Re: Secure Web Proxy Stress Testing

Thank you for your answer but as far as I can understand this setup is for a regular proxy that just proxies https protocol with http connect headers (unencrypted traffic between client and proxy on http connect request ) . Secure web proxy encrypts traffic between client and proxy meaning that you have an http connect request inside a tls tunnel.

Re: Secure Web Proxy Stress Testing

On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:
> Thank you for your answer but as far as I can understand this setup is
> for a regular proxy that just proxies https protocol with http connect
> headers (unencrypted traffic between client and proxy on http connect
> request ) .

Your understanding is incorrect: All the traffic between the client and
the proxy is encrypted in that test.

> Secure web proxy encrypts traffic between client and proxy

Yes, and that is what the Polygraph workload sketch tests. The Squid
port for that workload is an https_port, not an http_port.

> meaning that you have an http connect request inside a tls tunnel.

Yes, if the origin server is talking TLS. Just like a regular HTTP
proxy, an HTTPS proxy can proxy both plain and encrypted origin server
traffic. The latter requires a CONNECT tunnel. Whether the origin server
talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
the client-proxy communication itself is secured.

Re: Secure Web Proxy Stress Testing

On 04/10/2018 11:24 AM, Panagiotis Bariamis wrote:
> Thank you for your answer but as far as I can understand this setup is
> for a regular proxy that just proxies https protocol with http connect
> headers (unencrypted traffic between client and proxy on http connect
> request ) .

Your understanding is incorrect: All the traffic between the client and
the proxy is encrypted in that test.

> Secure web proxy encrypts traffic between client and proxy

Yes, and that is what the Polygraph workload sketch tests. The Squid
port for that workload is an https_port, not an http_port.

> meaning that you have an http connect request inside a tls tunnel.

Yes, if the origin server is talking TLS. Just like a regular HTTP
proxy, an HTTPS proxy can proxy both plain and encrypted origin server
traffic. The latter requires a CONNECT tunnel. Whether the origin server
talks HTTP or HTTPS is a separate variable/issue, unrelated to whether
the client-proxy communication itself is secured.

> I am trying to use Polygraph as suggested .
> However squid servers are part of the University Network so
> routing changes are not possible as suggested by polymix-4.pg
> Which test you think I should use without routing changes (poly
> server and client will have just a public ip and the regular
> loopback inteface) ?

This mailing list is not the right place for Polygraph support[1], but I
recommend writing your own workload for your own tests: Start with
simple.pg, use the IP addresses you want to use, and then add more bells
and whistles as needed (and as you get comfortable with the tool), one
change at a time. This is the approach used by the tutorial[2] as well.